McAfee > Theat Center > Virus Detail Page

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• BackDoor.Iterator (Dialogue Science)

• Backdoor.Sinit (NAV)

• Trojan.Win32.DirectPlugin.a (AVP)

Characteristics

Update: 12/10/2003
This threat is considered to be a Low-Profiled risk due to media attention at:  http://www.taipeitimes.com/News/worldbiz/archives/2003/12/10/2003079077

This detection is for a remote access trojan written in MSVC. Multiple variants have been received by AVERT, with the file sizes indicated above.

The files have been packed with UPX. Users are reminded that the scanning of compressed files is required for detection.

Installation

Upon execution, the trojan installs itself into the %SysDir% directory as SVCINIT.EXE.

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

For example:

C:\WINNT\SYSTEM32\SVCINIT.EXE

The following Registry keys is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices "SVC Service" = "%SysDir%\SVCINIT.EXE"

The value of the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon "Userinit"

is modified from:

%SysDir%\userinit.exe

to:

%SysDir%\userinit.exe %SysDir%\SVCINIT.EXE

The following Registry key is also created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlugin

Remote Access Functionality

Once running on the victim machine, the server component opens a random UDP port, to accept commands sent from the hacker.

Symptoms

• An expected UDP port being opened
• Existence of the files/Registry keys detailed above

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

• BackDoor.Iterator (Dialogue Science)

• Backdoor.Sinit (NAV)

• Trojan.Win32.DirectPlugin.a (AVP)

Characteristics

Characteristics -

Update: 12/10/2003
This threat is considered to be a Low-Profiled risk due to media attention at:  http://www.taipeitimes.com/News/worldbiz/archives/2003/12/10/2003079077

This detection is for a remote access trojan written in MSVC. Multiple variants have been received by AVERT, with the file sizes indicated above.

The files have been packed with UPX. Users are reminded that the scanning of compressed files is required for detection.

Installation

Upon execution, the trojan installs itself into the %SysDir% directory as SVCINIT.EXE.

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

For example:

C:\WINNT\SYSTEM32\SVCINIT.EXE

The following Registry keys is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices "SVC Service" = "%SysDir%\SVCINIT.EXE"

The value of the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon "Userinit"

is modified from:

%SysDir%\userinit.exe

to:

%SysDir%\userinit.exe %SysDir%\SVCINIT.EXE

The following Registry key is also created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlugin

Remote Access Functionality

Once running on the victim machine, the server component opens a random UDP port, to accept commands sent from the hacker.

Symptoms

Symptoms -

• An expected UDP port being opened
• Existence of the files/Registry keys detailed above

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal -

Removal -

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A